Last week DocuSign, one of the market leaders in online eSignatures and contract execution and management, announced that it had discovered a data breach. The result is a targeted phishing campaign that uses contact data taken in the breach to trick recipients into opening a document that is not a real DocuSign document.
If you are not familiar with DocuSign, here is an excerpt from their About Us page on their website. “DocuSign® is changing how business gets done by empowering more than 300,000 companies and 200 million users in 188 countries to sign, send and manage documents anytime, anywhere, on any device, with confidence.”
The phishing attack, which DocuSign has acknowledged, targets people who have used DocuSign to sign and execute contracts in the past, and it finds them using the data obtained from the breach. Through social engineering, recipients are tricked into enabling the macro code in an attached Word document, which then loads malware onto the victim's computer.
An important thing to note is that DocuSign does not send the document to be signed as an email attachment and ask you to open it. An email that does is an immediate red flag. If you have used the system, you know that the document you are asked to sign is presented within your web browser over an HTTPS (TLS) connection. You "sign" the document online and are then offered a PDF copy of the signed document to download. This should be an easy phish to spot, yet people are falling victim to it.
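The red flag above can be turned into a mail-gateway rule. The following is an added example written for this post, not DocuSign's or KnowBe4's code: it parses an email, and if the message is DocuSign-branded (sender name or subject) it flags a sender domain outside DocuSign's own domains and any attached Office document, additionally checking OOXML attachments for a VBA macro project. The two sample messages, the sender domains, the attachment name and the list of DocuSign domains are all constructed or assumed for the demonstration and are not indicators taken from the real campaign.

```python
"""Flag DocuSign-branded emails that carry an Office attachment.

Added example for this post, not DocuSign's or KnowBe4's code. Sample messages,
domains and file names below are constructed for the demonstration.
"""
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types a real DocuSign notification never carries (assumed list).
OFFICE_EXTS = (".doc", ".docm", ".docx", ".dot", ".dotm", ".xls", ".xlsm", ".rtf")
# Domains DocuSign sends from. Treat this as an assumption to verify against
# DocuSign's own guidance, not as an authoritative list.
DOCUSIGN_DOMAINS = ("docusign.com", "docusign.net")


def has_ooxml_macro(data: bytes) -> bool:
    """OOXML documents (.docx/.docm/.xlsm) are zip archives; Word stores VBA in
    a vbaProject.bin part. Legacy OLE2 .doc files are not zips, so they are
    caught by the extension check in analyze() instead."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def analyze(raw: bytes) -> list[str]:
    """Return the reasons a DocuSign-branded message matches this phish pattern.
    An empty list means nothing matched; it does not mean the mail is safe."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_hdr = str(msg.get("From", ""))
    subject = str(msg.get("Subject", ""))
    if "docusign" not in (from_hdr + subject).lower():
        return []  # not DocuSign-branded, so out of scope for this rule
    reasons = []
    sender = email.utils.parseaddr(from_hdr)[1].lower()
    domain = sender.rpartition("@")[2]
    if not any(domain == d or domain.endswith("." + d) for d in DOCUSIGN_DOMAINS):
        reasons.append(f"sender domain {domain!r} is not a DocuSign domain")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(OFFICE_EXTS):
            reasons.append(f"Office document attached: {name}")
            if has_ooxml_macro(part.get_content()):
                reasons.append(f"{name} contains a VBA macro project")
    return reasons


def is_suspicious(raw: bytes) -> bool:
    return bool(analyze(raw))


def build_docm_with_macro() -> bytes:
    """Constructed minimal OOXML container containing a vbaProject.bin part.
    The part's content is a placeholder string, not real macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/vbaProject.bin", b"placeholder-vba-storage")
    return buf.getvalue()


def make_message(from_addr: str, subject: str, body: str, attachment=None) -> bytes:
    """Build a constructed sample email, optionally with a .docm attachment."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "finance@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application",
                         subtype="vnd.ms-word.document.macroEnabled.12",
                         filename=name)
    return m.as_bytes()


# Constructed samples: a lookalike with a macro document, and a clean one.
PHISH = make_message(
    '"DocuSign" <dse@docusign-notice.example>',
    "Completed: Please review and sign your document",
    "Your document is attached. Open it and click Enable Editing to view it.",
    attachment=("Document_1234.docm", build_docm_with_macro()),
)
LEGIT = make_message(
    '"DocuSign" <dse@docusign.net>',
    "Please DocuSign: Service Agreement",
    "Review and sign the document in your browser using the button in this email.",
)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw))
```

The rule deliberately keys on branding plus behaviour (an attachment where the real service uses a link) rather than on the sender address alone, because a lookalike domain or a compromised mailbox defeats a pure sender check; the macro test is a second, independent signal for the same message.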
Here is a recommendation that has been put out in collaboration with KnowBe4, our partner in helping to educate our clients about risks like this:
“Hackers have stolen the customer email database of DocuSign, the company that allows companies to electronically sign documents. These criminals are now sending phishing emails that look exactly like the real DocuSign ones, but they try to trick you into opening an attached Word file and clicking to enable editing.
But if you do that, malware may be installed on your workstation. So if you get emails that look like they come from DocuSign and have an attachment, be very careful. If there is any doubt, pick up the phone and verify before you electronically sign any DocuSign email. Remember: Think Before You Click.”
Simple but important advice: always verify the source, especially when you receive something you were not expecting.
DocuSign maintains a good site regarding their security posture at https://trust.docusign.com. I recommend you keep watch on this site if you are a regular DocuSign user.